Is ICBC's online banking better than Bank of China's?

The analysis of ICBC U Shield and BOC E Order is as follows:

At present, the online banking security tools at the client mainly include digital certificates, dynamic passwords and mobile phone authentication. Digital certificates are widely used and have a high degree of security, which are usually stored in USBKey (commonly known as "U shield"). When users log on to the bank's website to conduct transactions, inserting Ukey into the computer is equivalent to showing the "network ID card" to the bank.

UKey hardware itself has a PIN code, which is equivalent to the password of our bank card. When users insert UKey into the computer, they can only use it after entering the PIN code. At the same time, the UKey certificate not only contains the user's identity information, but also contains another piece of special data information unique to the user, which is called "private key" academically, only unique to the user himself, and each user holds different information. Every time a user trades in online banking, the key information of the transaction will be sent to USBKey, and electronic signature will be made in USBKey. Simply put, as long as the USBKey is in the hands of users, it is difficult for hackers to intercept this password, and even if they succeed, it is difficult to complete the transfer. At present, China Merchants Bank [11.77 1.82% shares research report] and Industrial and Commercial Bank of China [4.11 .74% shares research report] are taking USBKey as the main security tools.

The Bank of China chose to use dynamic passwords to protect the security of users' online banking. A dynamic password is a password that can only be used once. The principle of this dynamic password is that it generates a randomly changing password at the user through a specific calculation method, and at the same time, the same password can be generated at the bank. When the user logs in to the online banking with this password, the two passwords are compared. If they match, it means that they have passed the verification, and the user can proceed to the next operation.

Bank of China's "E Order" is actually an "electronic dynamic password generator", which is a hardware dynamic password card introduced by Bank of China. It consists of a built-in power supply, a password generation chip and a display screen. According to a special calculation rule, a dynamic password will be automatically updated every 6 seconds, and users are required to enter it within 6 seconds to ensure the safety of online banking operation. However, this round of online banking fraud, the vast majority of cases are under the guise of "BOC e-order", and many users have questioned that the "BOC e-order" known as dynamic security has been ineffective at this time.

BOC staff responded by saying that BOC's security precautions for personal online banking accounts are recognized as safe and reliable by relevant state departments. Fraud is mainly caused by users logging into fake websites and being cheated of passwords and dynamic passwords, which has nothing to do with the design of online banking itself.

maybe not.

Let's take a look at the security system of online banking of Bank of China [2.96 1.2% shares]. At present, most banks adopt multi-factor and multi-channel authentication methods, and the security level is also high. However, when a large-scale "phishing case" occurs in China Bank's online banking, only dynamic password can be selected as a security tool, and the security protection measures are relatively simple. Not long ago, it has just been improved, adding the link of SMS authentication, which has been questioned by many customers.

Let's take a look at the dynamic password of the security tool mainly promoted by Bank of China's online banking. Experts from China Financial Certification Center believe that although the dynamic password changes once, there is still a certain period of time for this change. Usually, the dynamic password will be effective within 1 minute. It is this short minute that gives criminals an opportunity. The above-mentioned victims also expressed their dissatisfaction with the dynamic password: "One minute is enough for skilled people to complete the whole criminal process, and the dynamic password itself has problems."

However, the online banking of China Everbright Bank [3.8 1.65% shares], the only online banking company in prime bank that uses dynamic passwords like Bank of China, has always gained a good reputation among users, and similar incidents of phishing attacks are rare.

An expert in the industry who did not want to be named revealed that the problem is not the dynamic password, but an obvious loophole in the design of the dynamic password of China Bank.

He said that the dynamic password generator of China Everbright Bank is named Sunshine Token, and users need to enter a random password when logging in, and they need to enter a preset transfer password again when transferring money, and two protective lines are used to protect security. Before the online banking of China Bank, you only need to enter the password to complete the transfer. Once the phishing website intercepts or the password tag is lost, it is difficult to guarantee the security of the customer account.

BOC staff responded by saying that BOC's security precautions for personal online banking accounts are recognized as safe and reliable by relevant state departments. Fraud is mainly caused by users logging into fake websites and being cheated of passwords and dynamic passwords, which has nothing to do with the design of online banking itself.

maybe not.

Let's take a look at the security system of online banking of Bank of China [2.96 1.2% shares]. At present, most banks adopt multi-factor and multi-channel authentication methods, and the security level is also high. However, when a large-scale "phishing case" occurs in China Bank's online banking, only dynamic password can be selected as a security tool, and the security protection measures are relatively simple. Not long ago, it has just been improved, adding the link of SMS authentication, which has been questioned by many customers.

Let's take a look at the dynamic password of the security tool mainly promoted by Bank of China's online banking. Experts from China Financial Certification Center believe that although the dynamic password changes once, there is still a certain period of time for this change. Usually, the dynamic password will be effective within 1 minute. It is this short minute that gives criminals an opportunity. The above-mentioned victims also expressed their dissatisfaction with the dynamic password: "One minute is enough for skilled people to complete the whole criminal process, and the dynamic password itself has problems."

However, the online banking of China Everbright Bank [3.8 1.65% shares], the only online banking company in prime bank that uses dynamic passwords like Bank of China, has always gained a good reputation among users, and similar incidents of phishing attacks are rare.

An expert in the industry who did not want to be named revealed that the problem is not the dynamic password, but an obvious loophole in the design of the dynamic password of China Bank.

He said that the dynamic password generator of China Everbright Bank is named Sunshine Token, and users need to enter a random password when logging in, and they need to enter a preset transfer password again when transferring money, and two protective lines are used to protect security. Before the online banking of China Bank, you only need to enter the password to complete the transfer. Once the phishing website intercepts or the password tag is lost, it is difficult to guarantee the security of the customer account.